SQL Execute Immediate

12/12/2017

Leveraging SQLScript in Stored Procedures & User Defined Functions

You will learn

In contrast to executing a dynamic SQL string with EXEC, executing the same string with EXECUTE IMMEDIATE returns a result set.
Please note: this tutorial is based on SPS11.


Step 1: Build your module

Switch to the procedure editor.

Replace the EXEC keyword with EXECUTE IMMEDIATE.

Click “Save”.

Use what you have learned already and perform a build on your hdb module.

Step 2: Run the call statement

Return to the HRTT page and run the CALL statement again.

You will notice that the implicit result set is now returned to the console. However, you still cannot work further with this result set inside the procedure.

Step 3: Change the CALL statement

Now change the CALL statement again. This time insert the value for the input parameter as ‘ ’ as shown here, then run the CALL statement again.

You will notice the count is 10, which refers to all products except for Laser printers.

Step 4: Change CALL statement again

Now change the CALL statement. This time insert the value for the input parameter as ‘OR 1 = 1’ as shown here. Run the CALL statement again.

You will notice that the count is now much higher: 106. This illustrates the possibility of SQL injection. Because the input parameter is concatenated into the statement text, the always-true OR condition (1 = 1) forces the complete WHERE condition to evaluate to true for every record, so every row is counted.
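
To make the mechanism of Steps 3 and 4 concrete, here is an added SQLScript example (not the tutorial's own hdb module): a hypothetical procedure that splices its input parameter into a dynamic statement, beside two hardened variants. The PRODUCTS table, the CATEGORY column and the procedure names are assumptions, and the statements are written as CREATE PROCEDURE for a HANA SQL console.

```sql
-- Added example, not the tutorial's hdb module. PRODUCTS, CATEGORY and the
-- procedure names are hypothetical; run in a HANA SQL console.

-- VULNERABLE: the caller's text is spliced into the statement, so the
-- parameter is parsed as SQL. Passing 'OR 1 = 1' (Step 4) rewrites the
-- WHERE clause into a tautology and every row is counted.
CREATE PROCEDURE count_products_unsafe (IN im_filter NVARCHAR(200))
  LANGUAGE SQLSCRIPT AS
BEGIN
  DECLARE lv_sql NVARCHAR(500);
  lv_sql := 'SELECT COUNT(*) AS "CNT" FROM PRODUCTS'
         || ' WHERE CATEGORY <> ''Laser printers'' ' || :im_filter;
  EXECUTE IMMEDIATE :lv_sql;        -- implicit result set, as in Step 2
END;

-- HARDENED, preferred: no dynamic SQL at all. The parameter is bound as a
-- value, so whatever the caller passes can only ever be a category name.
CREATE PROCEDURE count_products_safe (IN im_category NVARCHAR(100))
  LANGUAGE SQLSCRIPT READS SQL DATA AS
BEGIN
  SELECT COUNT(*) AS "CNT" FROM PRODUCTS WHERE CATEGORY <> :im_category;
END;

-- HARDENED, when the statement really must be built at run time: reject
-- multi-token input and quote the value. IS_SQL_INJECTION_SAFE(v, n)
-- returns 1 only if v has at most n tokens ('OR 1 = 1' has four);
-- ESCAPE_SINGLE_QUOTES doubles embedded quotes so the value cannot
-- terminate the literal it is placed in.
CREATE PROCEDURE count_products_dynamic (IN im_category NVARCHAR(100))
  LANGUAGE SQLSCRIPT AS
BEGIN
  DECLARE lv_sql NVARCHAR(500);
  IF IS_SQL_INJECTION_SAFE(:im_category, 2) <> 1 THEN
    SIGNAL SQL_ERROR_CODE 10001
      SET MESSAGE_TEXT = 'Rejected: category must be a plain value';
  END IF;
  lv_sql := 'SELECT COUNT(*) AS "CNT" FROM PRODUCTS WHERE CATEGORY <> '''
         || ESCAPE_SINGLE_QUOTES(:im_category) || '''';
  EXECUTE IMMEDIATE :lv_sql;
END;

-- Compare: the first call counts the whole table, the other two apply a
-- real filter, and the third rejects 'OR 1 = 1' with error 10001.
CALL count_products_unsafe('OR 1 = 1');
CALL count_products_safe('Laser printers');
CALL count_products_dynamic('Laser printers');
```

In an hdb module the same bodies go into .hdbprocedure files, which start with PROCEDURE instead of CREATE PROCEDURE.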
